Israeli cyber company NSO is under fire once more after a wave of reports claimed its Pegasus spyware has been used by authoritarian regimes around the world to hack the smartphones of journalists, government officials and human-rights activists.
The Pegasus Project, as it is dubbed, is an investigative journalism initiative to reveal such alleged abuses using the Pegasus spyware, which is marketed as surveillance of criminals and terrorists, in which the technology was actually used by NSO’s clients to spy on people of interest.
This is not the first time NSO has been under scrutiny. That same Pegasus spyware was accused in 2018 of being used by Saudi officials to monitor journalist Jamal Khashoggi’s family prior to his death. Saudi dissident Omar Abdulaziz had filed a lawsuit, saying his WhatsApp messages were intercepted and used to justify Khashoggi’s murder.
According to The New York Times, Saudi Arabia spent $55 million on NSO’s spyware in 2017.
Facebook has sued NSO for exploiting a flaw in WhatsApp to gain access to text messages by its users. Amnesty International attempted to cancel NSO’s export license in a lawsuit, but the petition was rejected by the Tel Aviv District Court.
NSO has denied the Pegasus Project’s claims, saying it “is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources.”
As the Post’s Zev Stub reported, the company has for years responded to accusations that it works with governments that abuse human rights by saying it only sells its services to carefully vetted organizations for the purpose of saving lives. The company’s sales are subject to the approval of Israel’s Defense Ministry, and the Tel Aviv District Court last year said its process for vetting NSO clients was sufficient.
The company claimed it had refused contracts worth as much as $300m. in cases where the client did not pass its process of due diligence focused on human rights.
The Defense Ministry has solely approved the export of products such as Pegasus by Israeli companies “exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism,” the ministry said in response to the investigation.
The allegations raised by the Pegasus Project are serious and raise the issue of how much NSO, despite following its self-stated stringent guidelines in determining who it sells to and monitoring its use post-sale, is responsible for its product being exploited for nefarious means.
Assuming the best-case scenario in which NSO truly sold an independent product that was meant for security purposes and followed all of the necessary human-rights policies when transferring the product to a trustworthy user, there is still an ethical question of how much of the responsibility lies with the spyware producer.
This is not unlike the current havoc on Twitter and Facebook, where hateful content of the worst sort is shared, and people such as Mark Zuckerberg and Jack Dorsey are being held accountable for not filtering and limiting the posting of racist, antisemitic and generally vile content on their platforms.
Twitter and Facebook have fact checkers on reports, and Facebook even has automated filters on some content, alongside strict regulations about how their products are to be used. Facebook says hate speech, threats and graphic violence – all abusive content – are not allowed and that such content, once found, is taken down immediately.
Granted, NSO is not a social-media company. But at what point does NSO need to take responsibility for the actions of its products if, indeed, the claims as outlined in the Pegasus Project prove to be true?
When products capable of destruction are sold, such as weapons, the background of the user is thoroughly investigated before being approved for sale.
In Israel, carriers of handguns are required to enter the gun range to test their correct usage and the safety of the weapon regularly as a form of upkeep.
NSO is adamant that it maintains the strictest of guidelines and supervision to ensure that its product does not fall into the hands of those who would use it in ways outlined in the report. But if the reports are true, then those standards are not doing the job.